Add bean to parse safedomain

Author: JoyChou93

src/main/java/org/joychou/Application.java

@@ -8,6 +8,7 @@
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 
 
+
 @ServletComponentScan // do filter
 @SpringBootApplication
 // @EnableEurekaClient  // 测试Eureka请打开注释，防止控制台一直有warning

src/main/java/org/joychou/config/CustomCorsConfig.java

@@ -20,10 +20,10 @@ public WebMvcConfigurer corsConfigurer() {
         return new WebMvcConfigurerAdapter() {
             @Override
             public void addCorsMappings(CorsRegistry registry) {
-                // 支持一级域名，因为重写了checkOrigin
-                String[] allowOrigins = {"joychou.org", "http://test.joychou.me"};
+                // 为了支持一级域名，重写了checkOrigin
+                //String[] allowOrigins = {"joychou.org", "http://test.joychou.me"};
                 registry.addMapping("/cors/sec/webMvcConfigurer") // /**表示所有路由path
-                        .allowedOrigins(allowOrigins)
+                        //.allowedOrigins(allowOrigins)
                         .allowedMethods("GET", "POST")
                         .allowCredentials(true);
             }

src/main/java/org/joychou/config/SafeDomainConfig.java

@@ -0,0 +1,28 @@
+package org.joychou.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+
+/**
+ * 为了不要每次调用都解析safedomain的xml，所以将解析动作放在bean里。
+ */
+@Configuration
+public class SafeDomainConfig {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SafeDomainConfig.class);
+
+    @Bean
+    public SafeDomainParser safeDomainParser() {
+        try {
+            LOGGER.info("SafeDomainParser bean inject successfully!!!");
+            return new SafeDomainParser();
+        } catch (Exception e) {
+            LOGGER.error("SafeDomainParser is null " + e.getMessage(), e);
+        }
+        return null;
+    }
+
+}

src/main/java/org/joychou/config/SafeDomainParser.java

@@ -0,0 +1,57 @@
+package org.joychou.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.io.ClassPathResource;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.File;
+import java.util.ArrayList;
+
+public class SafeDomainParser {
+
+    private static Logger logger= LoggerFactory.getLogger(SafeDomainParser.class);
+
+    public SafeDomainParser(){
+
+        String safeTag = "safedomain";
+        String domainSafeTag = "domain";
+        String safeDomainClassPath = "url" + File.separator + "safe_domain.xml";
+        ArrayList<String> safeDomains = new ArrayList<>();
+
+        try {
+            // 读取resources目录下的文件
+            ClassPathResource resource = new ClassPathResource(safeDomainClassPath);
+            File file = resource.getFile();
+
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            Document doc = db.parse(file);  // parse xml
+
+            NodeList rootNode = doc.getElementsByTagName(safeTag);
+            Node domainsNode = rootNode.item(0);
+            NodeList child = domainsNode.getChildNodes();
+            
+            for (int i = 0; i < child.getLength(); i++){
+                Node node = child.item(i);
+                if (node.getNodeName().equals(domainSafeTag)) {
+                    safeDomains.add(node.getTextContent());
+                }
+            }
+
+        }catch (Exception e){
+            logger.error(e.toString());
+        }
+
+        WebConfig wc = new WebConfig();
+        wc.setSafeDomains(safeDomains);
+    }
+}
+
+
+
+

src/main/java/org/joychou/config/WebConfig.java

@@ -3,6 +3,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import java.util.ArrayList;
+
 
 /**
  * Solve can't get value in filter by @Value when not using embed tomcat.
@@ -19,6 +21,7 @@ public class WebConfig {
     private static String[] referUris;
     private static Boolean referSecEnabled = false;
     private static String businessCallback;
+    private static ArrayList<String> safeDomains= new ArrayList<>();
 
     /**
      * application.properties里object自动转jsonp的referer校验开关
@@ -91,4 +94,11 @@ public static String getBusinessCallback(){
         return businessCallback;
     }
 
+
+    public void setSafeDomains(ArrayList<String> safeDomains){
+        WebConfig.safeDomains = safeDomains;
+    }
+    public static ArrayList<String> getSafeDomains(){
+        return safeDomains;
+    }
 }

src/main/java/org/joychou/controller/Cors.java

@@ -20,8 +20,6 @@
 public class Cors {
 
     private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}";
-    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
-
 
     @RequestMapping("/vuln/origin")
     public static String vuls1(HttpServletRequest request, HttpServletResponse response) {
@@ -108,7 +106,7 @@ public String seccode(HttpServletRequest request, HttpServletResponse response)
 
         // 如果origin不为空并且origin不在白名单内，认定为不安全。
         // 如果origin为空，表示是同域过来的请求或者浏览器直接发起的请求。
-        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null ) {
+        if ( origin != null && SecurityUtil.checkURL(origin) == null ) {
             return "Origin is not safe.";
         }
         response.setHeader("Access-Control-Allow-Origin", origin);

src/main/java/org/joychou/controller/URLRedirect.java

@@ -75,14 +75,14 @@ public static void forward(HttpServletRequest request, HttpServletResponse respo
 
     /**
      * Safe code of sendRedirect.
-     * http://localhost:8080/urlRedirect/sendRedirect_seccode?url=http://www.baidu.com
+     * http://localhost:8080/urlRedirect/sendRedirect/sec?url=http://www.baidu.com
      */
-    @RequestMapping("/sendRedirect_seccode")
+    @RequestMapping("/sendRedirect/sec")
     @ResponseBody
-    public static void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response) throws IOException{
+    public void sendRedirect_seccode(HttpServletRequest request, HttpServletResponse response)
+            throws IOException{
         String url = request.getParameter("url");
-        String urlwhitelist[] = {"joychou.org", "joychou.com"};
-        if (SecurityUtil.checkURLbyEndsWith(url, urlwhitelist) == null) {
+        if (SecurityUtil.checkURL(url) == null) {
             // Redirect to error page.
             response.sendRedirect("https://test.joychou.org/error3.html");
             return;

src/main/java/org/joychou/controller/jsonp/JSONP.java

@@ -24,13 +24,11 @@
  * https://github.com/JoyChou93/java-sec-code/wiki/JSONP
  */
 
-
 @RestController
 @RequestMapping("/jsonp")
 public class JSONP {
 
-    private static String[] urlwhitelist = {"joychou.com", "joychou.org"};
-    private static String callback = WebConfig.getBusinessCallback();
+    private String callback = WebConfig.getBusinessCallback();
 
     // get current login username
     public static String getUserInfo2JsonStr(HttpServletRequest request) {
@@ -65,7 +63,7 @@ public String referer(HttpServletRequest request) {
     public String emptyReferer(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (null != referer && SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
+        if (null != referer && SecurityUtil.checkURL(referer) == null) {
             return "error";
         }
         String callback = request.getParameter(this.callback);
@@ -110,7 +108,7 @@ public ModelAndView mappingJackson2JsonView(HttpServletRequest req) {
     public String safecode(HttpServletRequest request) {
         String referer = request.getHeader("referer");
 
-        if (SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist) == null) {
+        if (SecurityUtil.checkURL(referer) == null) {
             return "error";
         }
         String callback = request.getParameter(this.callback);

src/main/java/org/joychou/filter/JsonpFilter.java

@@ -39,7 +39,6 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         HttpServletResponse response = (HttpServletResponse) res;
 
         String refer = request.getHeader("referer");
-        String[] jsonpReferWhitelist = WebConfig.getJsonpReferWhitelist();
         StringBuffer url = request.getRequestURL();
         String query = request.getQueryString();
 
@@ -50,7 +49,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         }
 
         // 校验jsonp逻辑，如果不安全，返回forbidden
-        if (SecurityUtil.checkUrlByGuava(refer, jsonpReferWhitelist) == null ){
+        if (SecurityUtil.checkURL(refer) == null ){
             logger.error("[-] URL: " + url + "?" + query + "\t" + "Referer: " + refer);
             response.setStatus(HttpServletResponse.SC_FORBIDDEN);
             response.getWriter().write("forbidden");
@@ -87,7 +86,7 @@ private boolean check(HttpServletRequest req) {
                 break;
             }
         }
-        if (StringUtils.isBlank(reqCallback)){
+        if(StringUtils.isBlank(reqCallback)){
             return false;
         }
 

src/main/java/org/joychou/filter/OriginFilter.java

@@ -20,8 +20,6 @@
 @WebFilter(filterName = "OriginFilter", urlPatterns = "/cors/sec/originFilter")
 public class OriginFilter implements Filter {
 
-    private static String[] urlwhitelist = {"joychou.org", "joychou.me"};
-
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
 
@@ -40,7 +38,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         logger.info("[+] Origin: " + origin + "\tCurrent url:" + request.getRequestURL());
 
         // 以file协议访问html，origin为字符串的null，所以依然会走安全check逻辑
-        if ( origin != null && SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist) == null) {
+        if ( origin != null && SecurityUtil.checkURL(origin) == null) {
             logger.error("[-] Origin check error. " + "Origin: " + origin +
                     "\tCurrent url:" + request.getRequestURL());
             response.setStatus(response.SC_FORBIDDEN);

src/main/java/org/joychou/filter/ReferFilter.java

@@ -64,7 +64,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain filter
         String reqCallback = request.getParameter(WebConfig.getBusinessCallback());
         if ("GET".equals(request.getMethod()) && StringUtils.isNotBlank(reqCallback) ){
             // If the check of referer fails, a 403 forbidden error page will be returned.
-            if (SecurityUtil.checkURLbyEndsWith(refer, WebConfig.getReferWhitelist()) == null ){
+            if (SecurityUtil.checkURL(refer) == null ){
                 logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t"
                         + "Referer: " + refer);
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);

src/main/java/org/joychou/security/CustomCorsProcessor.java

@@ -29,26 +29,21 @@ protected String checkOrigin(CorsConfiguration config, String requestOrigin) {
         if (result != null) {
             return result;
         }
-
-        List<String> allowedOrigins = config.getAllowedOrigins();
-        if (StringUtils.isBlank(requestOrigin)
-                || CollectionUtils.isEmpty(allowedOrigins)) {
+        // List<String> allowedOrigins = config.getAllowedOrigins();
+        if (StringUtils.isBlank(requestOrigin)) {
             return null;
         }
 
-        return customCheckOrigin(allowedOrigins, requestOrigin);
+        return customCheckOrigin(requestOrigin);
     }
 
 
     /**
-     * 用host的endsWith来校验requestOrigin
+     * 校验requestOrigin
      */
-    private String customCheckOrigin(List<String> allowedOrigins, String requestOrigin) {
-
-        // list转String[]
-        String[] arrayAllowOrigins = allowedOrigins.toArray(new String[allowedOrigins.size()]);
+    private String customCheckOrigin(String requestOrigin) {
 
-        if ( SecurityUtil.checkURLbyEndsWith(requestOrigin, arrayAllowOrigins) != null) {
+        if ( SecurityUtil.checkURL(requestOrigin) != null) {
             logger.info("[+] Origin: "  + requestOrigin );
             return requestOrigin;
         }